On 9/7/10 10:57 AM, James Walker wrote:
On Tue, Sep 7, 2010 at 3:46 AM, Evan Prodromou <[email protected]> wrote:

    I'm not excited about removing those tokens, but... it seems like
    less of a big deal for login forms.

    I'd like to hear a third opinion, though, before you remove the code.


My understanding is that CSRF protection is not necessary on forms being
filled out by anonymous users. I know that when we were dealing with
this in Drupal we ended up only salting forms for logged in users.

For actions that can be abused and which one might want to put an IP block on (say, comment posting or account registration) a CSRF token can still be useful since it cuts down on the possibility of using a malicious web script to evade IP blocks.

It's less of an issue for login here for two reasons: first, the correct credentials actually need to be provided for the action to succeed, so the main danger is use in brute-forcing passwords. But, since you can already run password credentials through the API with no token, it doesn't actually add any protection.

Agreed that it's reasonably safe to remove here. (But on general principle we should make sure we improve brute-force password guessing protection.)

-- brion vibber (brion @ status.net)
_______________________________________________
StatusNet-dev mailing list
[email protected]
http://lists.status.net/mailman/listinfo/statusnet-dev
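The two cases Brion distinguishes above, as an added example that is not from this thread or from StatusNet's code: a per-session CSRF token for a form that anonymous users submit (comment posting), beside a sliding-window failure throttle keyed by IP and username for login, where a token alone gives no brute-force protection. Class and function names, and the sample inputs, are my own.

```python
import hmac
import secrets
import time
from collections import defaultdict, deque


class CsrfTokens:
    """Per-session tokens; anonymous sessions get one too, so a page on
    another origin, which cannot read this session, cannot forge the post."""

    def __init__(self):
        self._by_session = {}

    def issue(self, session_id):
        token = secrets.token_urlsafe(32)
        self._by_session[session_id] = token
        return token

    def verify(self, session_id, submitted):
        expected = self._by_session.get(session_id)
        if expected is None or submitted is None:
            return False
        # Constant-time compare so a forged token can't be guessed byte by byte.
        return hmac.compare_digest(expected, submitted)


class LoginThrottle:
    """Counts recent failures per (ip, username); blocks once the window fills."""

    def __init__(self, max_failures=5, window_seconds=300):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(deque)

    def allowed(self, key, now=None):
        now = time.time() if now is None else now
        q = self._failures[key]
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        return len(q) < self.max_failures

    def record_failure(self, key, now=None):
        self._failures[key].append(time.time() if now is None else now)


def post_comment(tokens, session_id, submitted_token, body):
    if not tokens.verify(session_id, submitted_token):
        return "rejected: bad csrf token"
    return "accepted: " + body


def login(throttle, check_password, ip, username, password, now=None):
    key = (ip, username)
    if not throttle.allowed(key, now):
        return "throttled"           # refused before the password is even checked
    if check_password(username, password):
        return "ok"
    throttle.record_failure(key, now)
    return "bad credentials"
```

The `now` parameter exists only so the window can be exercised deterministically; in a server it is left at the default wall-clock time.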